Martin,
there are no entries in /etc/hosts for the FreeIPA servers on the client.
The client host's own entry is there, with the FQDN first.

Because you mentioned it, I added the hostnames of both FreeIPA servers to the
hosts file on the client. It actually ran and set up the client. However, it did
get the following errors at the end, after it did the Kerberos config....
=======
Configured /etc/krb5.conf for IPA realm MYDOMAIN.COM
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 2377, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 2363, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2135, in install
    delete_persistent_client_session_data(host_principal)
  File "/usr/lib/python2.6/site-packages/ipalib/rpc.py", line 124, in delete_persistent_client_session_data
    kernel_keyring.del_key(keyname)
  File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 99, in del_key
    real_key = get_real_key(key)
  File "/usr/lib/python2.6/site-packages/ipapython/kernel_keyring.py", line 45, in get_real_key
    (stdout, stderr, rc) = run(['keyctl', 'search', KEYRING, KEYTYPE, key],
                               raiseonerr=False)
  File "/usr/lib/python2.6/site-packages/ipapython/ipautil.py", line 295, in run
    close_fds=True, env=env, cwd=cwd)
  File "/usr/lib64/python2.6/subprocess.py", line 639, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.6/subprocess.py", line 1220, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory
=======
Is that normal?
Do I need to add entries to the hosts file on every client?
Regards,
Les
________________________________________
From: Martin Kosek [mko...@redhat.com]
Sent: Friday, November 29, 2013 8:49 PM
To: Les Stott; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] gssapi sasl error - only picking up short hostname when running ipa-client-install (and failing)
On 11/29/2013 09:16 AM, Les Stott wrote:
> Hi,
>
> Recently installed freeipa on two servers in multi-master mode. We want to
> have a central authentication system for many hosts. Environment is RHEL 6.4
> for servers, RHEL 6.1 for the first client host, standard rpm packages used -
> ipa-server-3.0.0-26.el6_4.4.x86_64 and ipa-client-3.0.0-37.el6.x86_64.
>
> I am now trying to add the first linux host to freeipa via ipa-client-install.
>
> When I run ipa-client-install on a host in debug mode it fails with the errors
> below (I have changed hostnames and IPs: freeipa-1.mydomain.com
> 192.168.1.22 and freeipa-2.mydomain.com 192.168.1.23, client host host1
> 192.168.1.15)
>
> trying to retrieve CA cert via LDAP from ldap://freeipa-1.mydomain.com
> get_ca_cert_from_ldap() error: Local error SASL(-1): generic failure: GSSAPI
> Error: Unspecified GSS failure. Minor code may provide more information
> (Server ldap/freeip...@mydomain.com not found in Kerberos database)
> {'info': 'SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.
> Minor code may provide more information (Server ldap/freeip...@mydomain.com
> not found in Kerberos database)', 'desc': 'Local error'}
>
> The Kerberos logs on the server (freeipa-1) show
> Nov 29 01:46:14 freeipa-1.mydomain.com krb5kdc[1616](info): TGS_REQ (4 etypes
> {18 17 16 23}) 192.168.1.15: UNKNOWN_SERVER: authtime 0, admin@MYDOMAIN.COM
> for HTTP/freeip...@mydomain.com, Server not found in Kerberos database
>
> The logs indicate that the service name is being used with the short hostname
> (HTTP/freeip...@mydomain.com). The FreeIPA server has records for
> HTTP/freeipa-1.mydomain....@mydomain.com.
> I can see these in the web interface. I believe this is where it is
> stumbling.
>
> I've been banging my head against the wall on this one for a couple of days.
> Everything I've found says make sure you have working DNS, make sure you can
> reverse-lookup IPs, make sure hostnames are FQDNs, make sure /etc/hosts on the
> server has the servers' IPs listed with the FQDN first and the short name second. I've
> done all that.
What about /etc/hosts on the clients? Do they also have the FQDN first, in case they
have a server IP in there?
Martin
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
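The two failures in this thread are both things a client can check for itself before running ipa-client-install: an /etc/hosts entry that lists an IPA server's short name before its FQDN (which makes the resolver canonicalise the server to the short name, so the client asks the KDC for ldap/freeipa-1@REALM instead of ldap/freeipa-1.mydomain.com@REALM), and the traceback's "OSError: [Errno 2] No such file or directory" raised from run(['keyctl', ...]), which is subprocess reporting that the keyctl executable is not on the client's PATH (on RHEL 6 it ships in the keyutils package). The script below is an added example written for this thread; it is not code from FreeIPA or from either poster. The server names and realm are taken from the thread, the SAMPLE_HOSTS content is constructed for illustration, and the live part at the bottom reads the real /etc/hosts and asks the resolver how each server canonicalises.

```python
"""Pre-flight name-resolution and tooling checks for ipa-client-install.

Added example for this thread, not FreeIPA code.  IPA_SERVERS and REALM are
taken from the thread; SAMPLE_HOSTS is constructed test data.
"""
import shutil
import socket

IPA_SERVERS = ["freeipa-1.mydomain.com", "freeipa-2.mydomain.com"]  # from the thread
REALM = "MYDOMAIN.COM"                                               # from the thread

# Constructed /etc/hosts content: the freeipa-1 line reproduces the mistake
# Martin asked about (short name before FQDN); the freeipa-2 line is correct.
SAMPLE_HOSTS = """\
127.0.0.1    localhost localhost.localdomain
192.168.1.15 host1.mydomain.com host1
192.168.1.22 freeipa-1 freeipa-1.mydomain.com   # short name first: wrong
192.168.1.23 freeipa-2.mydomain.com freeipa-2   # FQDN first: fine
"""


def parse_hosts(text):
    """Parse /etc/hosts text into (ip, [names...]) tuples, skipping comments
    and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def hosts_problems(text, servers):
    """Return (ip, first_name, reason) for every entry that names an IPA server
    but puts something other than its FQDN first.  The resolver's canonical
    name is the first name on the matching line, and that is the host part of
    the service principal the client requests from the KDC."""
    wanted = {s.lower() for s in servers}
    problems = []
    for ip, names in parse_hosts(text):
        if not names:
            continue
        lowered = [n.lower() for n in names]
        if any(n in wanted for n in lowered) and lowered[0] not in wanted:
            problems.append((ip, names[0], "IPA server listed with a non-FQDN first"))
    return problems


def client_entry_problem(text, client_fqdn):
    """None if the client's own entry (if present) has its FQDN first,
    otherwise a description of the offending line."""
    for ip, names in parse_hosts(text):
        lowered = [n.lower() for n in names]
        if client_fqdn.lower() in lowered and lowered[0] != client_fqdn.lower():
            return "%s lists %s before %s" % (ip, names[0], client_fqdn)
    return None


def service_principal(service, hostname, realm):
    """Principal the client will ask for, given the canonicalised hostname."""
    return "%s/%s@%s" % (service, hostname, realm)


def missing_tools(names, path=None):
    """Executables that cannot be found on PATH (or on the given path string).
    subprocess raises OSError Errno 2 for exactly this case."""
    return [n for n in names if shutil.which(n, path=path) is None]


def run_checks(hosts_text, servers, client_fqdn, path=None):
    """Run the offline checks and return a report dict with an overall 'ok'."""
    report = {
        "hosts_problems": hosts_problems(hosts_text, servers),
        "client_entry_problem": client_entry_problem(hosts_text, client_fqdn),
        "missing_tools": missing_tools(["keyctl"], path=path),
    }
    report["ok"] = (not report["hosts_problems"]
                    and report["client_entry_problem"] is None
                    and not report["missing_tools"])
    return report


if __name__ == "__main__":
    # Live run: real /etc/hosts, real PATH, and the resolver's canonical name
    # for each server (this last part needs working DNS or hosts entries).
    with open("/etc/hosts") as fh:
        report = run_checks(fh.read(), IPA_SERVERS, socket.getfqdn())
    for ip, name, why in report["hosts_problems"]:
        print("hosts: %s %s: %s" % (ip, name, why))
    if report["client_entry_problem"]:
        print("hosts: " + report["client_entry_problem"])
    for tool in report["missing_tools"]:
        print("missing executable: %s (RHEL 6: yum install keyutils)" % tool)
    for server in IPA_SERVERS:
        try:
            canon = socket.getaddrinfo(server, None, 0, 0, 0, socket.AI_CANONNAME)[0][3] or server
        except socket.gaierror as err:
            print("%s: cannot resolve: %s" % (server, err))
            continue
        print("%s -> %s -> %s" % (server, canon, service_principal("ldap", canon, REALM)))
    print("OK" if report["ok"] else "problems found")
```

The offline functions only look at what /etc/hosts will hand to the resolver; Kerberos canonicalisation on the client also depends on reverse DNS (the rdns setting in the [libdefaults] section of krb5.conf), so run this alongside the forward and reverse DNS checks already listed in the thread rather than instead of them.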